ChkRootkit vulnerability – privilege escalation

ChkRootkit is a rootkit detector: its job is to find malicious software that could grant an unprivileged user, even a guest, full access to a machine. Imagine a website visitor taking control not only of the website they visited, but of the entire server hosting it, which most probably runs many other services as well.

Thomas Stangner reported a security flaw in ChkRootkit, one of the most widely used rootkit detection tools. The vulnerability allows a local attacker to gain root privileges by placing malicious code in the /tmp directory.

Tracked as CVE-2014-0476, the vulnerability resides in the slapper() function of the chkrootkit shell script: any file named “update” located in /tmp is executed as root, because chkrootkit runs it during its routine rootkit scans.

Way to go ChkRootkit! A rootkit scanner vulnerable to privilege escalation is like using a fishing net for a condom.

As Thomas Stangner suggested, a fix to this issue would be quotation marks around the assignment:
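As an added illustration (not chkrootkit's own code and not the reporter's patch), the POSIX shell script below reproduces the idiom behind the bug: in shell, `name=$name $word` is not a string concatenation, it runs `$word` as a command with `name=` in its environment. The script contrasts that form with the quoted assignment, and adds a small grep-based audit that lists lines of a script matching the risky shape. The function names (`update`, `build_buggy`, `build_fixed`, `find_unquoted_assignments`, `audit_sample`) and the sample lines are constructed for this demo; the planted "update" is a harmless shell function that only records that it was called.

```shell
#!/bin/sh
# Added example, not code from chkrootkit. Demonstrates why an unquoted
# "list=$list $word" executes $word, and that quoting the assignment fixes it.

EXECUTED=""
# Harmless stand-in for a planted /tmp/update: a function that records that it ran.
update() { EXECUTED="yes"; }

# Vulnerable pattern. With $list empty, the line inside the loop is parsed as
# the command "$word" preceded by the environment assignment "list=", so the
# word "update" is executed instead of being appended to the list.
build_buggy() {
    list=""
    EXECUTED=""
    for word in update; do
        list=$list $word
    done
}

# Fixed pattern: with the whole right-hand side quoted, the shell sees a single
# assignment word and nothing is executed.
build_fixed() {
    list=""
    EXECUTED=""
    for word in update; do
        list="$list $word"
    done
}

# Audit helper: print lines of the given file where an assignment of the form
# name=$var is followed by another unquoted $word on the same line.
# Exit status is 0 when at least one such line is found.
find_unquoted_assignments() {
    grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]+\$' "$1"
}

# Runs the audit over two constructed sample lines, the buggy and the quoted form,
# and returns grep's status (0 = risky line found).
audit_sample() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
file_port=$file_port $i
file_port="$file_port $i"
EOF
    find_unquoted_assignments "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo output.
build_buggy
echo "unquoted: executed=${EXECUTED:-no} list='$list'"
build_fixed
echo "quoted:   executed=${EXECUTED:-no} list='$list'"
echo "audit hits:"
audit_sample
```

Running it shows `executed=yes` with an empty list for the unquoted form and `executed=no` with `list=' update'` for the quoted one; the audit prints only the first sample line. The grep is deliberately narrow (it looks for the exact shape reported here) and is a quick triage aid, not a substitute for a shell linter such as ShellCheck.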